Low tech 'visual hacking' successful nine times out of ten
Traverse City-based Ponemon Institute sent researchers to 43 offices belonging to seven large corporations who had previously agreed to participate in benchmarking research. The researchers had valid identification as temporary employees, and management knew they were coming -- though the office staff did not.
The researchers spent up to two hours in each office, wandering around, taking pictures of computer screens, and picking up documents marked "confidential" and putting them in their bags -- all deliberately within full view of the regular employees.
In the vast majority of the cases, the regular office staff did not ask any questions or confront the researcher in any way.
Even when the researcher pulled up an Excel spreadsheet on a computer and took a picture of it with their cellphone, most workers did not react.
"We expected to see someone say, 'Hey, what are you doing here' at that point," said Larry Ponemon, chairman and founder of the institute.
But out of 43 trials, the researcher was confronted by a company employee only seven times when taking pictures of the screen, only four times when it looked like they were stealing confidential documents, and only twice when wandering around looking at things on people's desks, computer monitors, and at printers, copiers and fax machines.
And there was only one case where the strange behavior was actually reported to management.
Information collected include staff directories, customer information, financial data, access and login credentials and confidential documents.
Success rates varied based on the layout of the office, and what type of work was conducted there, said Ponemon.
For example, open-plan offices made it easier for researchers to gather information compared to those with private offices or cubicles.
Areas related to customer service, communications and sales management were also more vulnerable, while legal and and accounting and finance were least vulnerable.
IT help desks and data center operations fell roughly in the middle.
The five offices where the researchers were able to get nothing at all were all R&D departments.
The study was sponsored by 3M, and one of the things that the researchers looked at was whether computer monitor privacy screens make a difference.
"It made a small difference," said Ponemon. "It's harder to see what's on the screen."
In addition to privacy screens, other factors that made a noticeable difference in the amount of information collected were clean desk policies, standardized document shredding policies, suspicious reporting processes, and mandatory training and awareness.
Ponemon admitted that the researchers had more time in the office than a criminal there under false presence might have.
"If you were a flower delivery or pizza delivery guy, you would probably be moving pretty fast," he said.
However, he added that in about half of the offices, the first piece of sensitive information was spotted within the first 15 minutes.
In addition, depending on the pretense, a hacker might have more time in the office -- and a malicious insider would have all the time in the world.